gosu carries many CVE and appears unused

[jrwren]

Would you be open to a patch which removes the unused gosu?

[AustinMutschler]

While gosu is not unused, I agree that it should be removed. They have had a CVE for a few months now because they are compiling with an EOL Go version. When asked to upgrade, the maintainer did but then never released a new build. This is not acceptable in most company security policies. I agree with the maintainer of gosu that it has no impact, I do not agree that there is no reason to release a new version.

Redis used gosu for the "--user" entry flag. Is there a way we can do this without gosu?

[jrwren]

Similar to redis/docker-library-redis#401 (comment)

I believe that ubuntu (edit: sorry, debian) already has runuser OOTB and alpine can apk add runuser to get the same functionality as gosu.

update: never mind. The semantics of runuser are not the same as gosu and rather than exec it does fork and exec.

[tianon]

setpriv is the alternative you're probably looking for.

[roshkhatri]

Closing this as we have replaces gosu with setpriv